Motivation

The development of Cyber-Physical Systems (aircraft, cars, trains, robots, etc.) increasingly relies on many types of analyses from different disciplines for assurance purposes

•  Control stability, scheduling, logic, thermal, power, aerodynamics, etc.

Large CPS are integrated out of components developed by suppliers that use their own analysis methods and make their own assumptions

Analysis assumption mismatches are discovered late in the system integration phase

•  Difficult and costly to solve
Boeing 787 Suppliers

[Figure: Boeing 787 supplier map; legible labels include Mitsubishi and Latecoere. Source: Boeing / Reuters]
Analyses Interactions

[Figure. Source: National Renewable Energy Laboratory]
Analysis Contracts
Analysis Contract Scheme

[Figure: a shared Model on which Analysis 1, Analysis 2 and Analysis 3 operate; Contract 1 and Contract 2 sit between the analyses, each over its own domain (Domain 1, Domain 2)]
Contract Language & Verification

Contract formulas

•  Given a domain $D = (\mathcal{S}, \mathcal{P})$ of sorts $\mathcal{S}$ and properties $\mathcal{P}$,

•  $\Gamma_D ::= \forall v_1, \ldots, v_j \bullet \varphi \mid \exists v_1, \ldots, v_j \bullet \varphi \mid \forall v_1, \ldots, v_j \bullet \psi \mid \exists v_1, \ldots, v_j \bullet \psi$

  -  $\varphi$: static (first-order) formula

  -  $\psi$: LTL formula

Contract $C = (I, O, A, G)$

•  $I \subseteq (\mathcal{S} \cup \mathcal{P})$: sorts and properties read by the analysis

•  $O \subseteq (\mathcal{S} \cup \mathcal{P})$: sorts and properties written by the analysis

•  $A \subseteq \Gamma_D$: assumptions: must be true in the input

•  $G \subseteq \Gamma_D$: guarantees: must be true in the output

Verification

Contract (& analysis) dependency: $d(C_i, C_j) : C_i.I \cap C_j.O \neq \emptyset$

First order: in SMT (Z3); LTL: model checker
Example: Surveillance Aircraft

[Figure: system model with Software (Security: Top Secret, Security: Secret), Processors and Battery]

Analysis

Security: tasks of different level to different processor

Scheduling: meet all deadlines

Freq. scaling: minimize power

Logic: no deadlocks or race conditions

Battery scheduling: meet battery lifetime

Battery thermal: no runaways
Surveillance Aircraft Contracts

Security Analysis

•  $An_{sec}.C$: $I = \{T, ThSecCl\}$, $O = \{NotColoc\}$, $A = \emptyset$, $G = \{g\}$

  -  $g: \forall t_1, t_2 \bullet ThSecCl(t_1) \neq ThSecCl(t_2) \Rightarrow t_1 \in NotColoc(t_2)$

Multiprocessor scheduling (bin packing + scheduling)

•  $An_{sched}.C$: $I = \{T, C, NotColoc, Per, WCET, Dline\}$, $O = \{CPUBind\}$, $A = \emptyset$, $G = \{g\}$

  -  $g: \forall t_1, t_2 \bullet t_1 \in NotColoc(t_2) \Rightarrow CPUBind(t_1) \neq CPUBind(t_2)$

Frequency Scaling

•  $An_{freqsc}.C$: $I = \{T, C, CPUBind, Dline\}$, $O = \{CPUFreq\}$, $G = \emptyset$, $A = \{a\}$

  -  $a: \forall t_1, t_2 \bullet CPUBind(t_1) = CPUBind(t_2) \wedge \mathbf{G}(CanPrmpt(t_1, t_2)) \Rightarrow Dline(t_1) < Dline(t_2)$

Model checking periodic program (REK):

•  $An_{rek}.C$: $I = \{T, C, Per, Dline, WCET, CPUBind\}$, $O = \{ThSafe\}$, $G = \emptyset$, $A = \{a_1, a_2\}$

  -  $a_1: \forall t \bullet Per(t) = Dline(t)$,  $a_2: \forall t_1, t_2 \bullet \mathbf{G}(CanPrmpt(t_1, t_2) \Rightarrow \mathbf{G}\,\neg CanPrmpt(t_2, t_1))$

Thermal runaway:

•  $An_{therm}.C$: $I = \{B, BatRows, BatCols, Voltage\}$, $O = \{K\}$, $A = \emptyset$, $G = \emptyset$

Battery Scheduling

•  $An_{bsched}.C$: $I = \{B, BatRows, BatCols\}$, $O = \{BatConnSchedPol, HasReqLifetime, SerialReq, ParalReq\}$, $A = \emptyset$, $G = \{g\}$

  -  $g: \mathbf{G}(K(0) \times TN(0) + K(1) \times TN(1) + K(2) \times TN(2) + K(3) \times TN(3) > 0)$
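The contract tuple $C = (I, O, A, G)$ from the Contract Language slide and the dependency relation $d(C_i, C_j)$ are mechanical enough to compute. The following is an added example (not code from the EMSOFT 2014 paper or from OSATE) that encodes the six contracts above with their I/O sets exactly as listed, derives the dependency pairs from $d$, and produces a run order in which every writer precedes its readers; a cyclic dependency, which no order can satisfy, is reported instead of silently ignored. Assumption and guarantee formulas are kept by name only, since discharging them needs Z3 or a model checker.

```python
"""Contract structure and dependency ordering for the surveillance-aircraft
contracts. Added example, not code from the EMSOFT 2014 paper or OSATE."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class Contract:
    """C = (I, O, A, G). I and O name the sorts/properties read and written;
    A and G hold only the names of the assumption/guarantee formulas, since
    discharging them needs Z3 or a model checker, which this example omits."""
    name: str
    I: FrozenSet[str]
    O: FrozenSet[str]
    A: FrozenSet[str] = frozenset()
    G: FrozenSet[str] = frozenset()


def fs(*names: str) -> FrozenSet[str]:
    return frozenset(names)


# The six contracts with the I/O sets exactly as listed on the slide.
CONTRACTS: Dict[str, Contract] = {c.name: c for c in [
    Contract("sec", fs("T", "ThSecCl"), fs("NotColoc"), G=fs("g")),
    Contract("sched", fs("T", "C", "NotColoc", "Per", "WCET", "Dline"), fs("CPUBind"), G=fs("g")),
    Contract("freqsc", fs("T", "C", "CPUBind", "Dline"), fs("CPUFreq"), A=fs("a")),
    Contract("rek", fs("T", "C", "Per", "Dline", "WCET", "CPUBind"), fs("ThSafe"), A=fs("a1", "a2")),
    Contract("therm", fs("B", "BatRows", "BatCols", "Voltage"), fs("K")),
    Contract("bsched", fs("B", "BatRows", "BatCols"),
             fs("BatConnSchedPol", "HasReqLifetime", "SerialReq", "ParalReq"), G=fs("g")),
]}


def depends(ci: Contract, cj: Contract) -> bool:
    """d(Ci, Cj): Ci.I ∩ Cj.O ≠ ∅, i.e. analysis i reads something analysis j writes."""
    return ci is not cj and bool(ci.I & cj.O)


def dependencies(contracts: Dict[str, Contract]) -> Set[Tuple[str, str]]:
    """All (reader, writer) pairs for which d holds."""
    return {(ci.name, cj.name)
            for ci in contracts.values() for cj in contracts.values() if depends(ci, cj)}


def execution_order(contracts: Dict[str, Contract]) -> List[str]:
    """Run order in which every writer precedes its readers (Kahn's algorithm).
    A cycle in d means no order can satisfy all contracts; that is reported
    rather than silently picking an order."""
    deps = dependencies(contracts)
    pending = {name: {w for (r, w) in deps if r == name} for name in contracts}
    order: List[str] = []
    while pending:
        ready = sorted(name for name, writers in pending.items() if not writers)
        if not ready:
            raise ValueError(f"cyclic analysis dependency among {sorted(pending)}")
        order.extend(ready)
        for name in ready:
            del pending[name]
        for writers in pending.values():
            writers.difference_update(ready)
    return order


if __name__ == "__main__":
    for reader, writer in sorted(dependencies(CONTRACTS)):
        print(f"{reader} depends on {writer}")
    print("run order:", execution_order(CONTRACTS))
```

With the I/O sets as written on the slide, only three dependencies arise: scheduling reads NotColoc from the security analysis, and both frequency scaling and REK read CPUBind from scheduling. Note that the battery-scheduling guarantee refers to $K$, which the thermal analysis writes, but $K$ is not in $An_{bsched}.I$ as listed, so $d$ alone does not order those two analyses; whether that is intended is a question to settle in the model rather than in this code.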
Frequency Scaling Assumption

$a: \forall t_1, t_2 \bullet CPUBind(t_1) = CPUBind(t_2) \wedge \mathbf{G}(CanPrmpt(t_1, t_2)) \Rightarrow Dline(t_1) < Dline(t_2)$

[Figure: DMS, RMS]

[Figure: EDF, RMS]
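Whether the frequency-scaling assumption $a$ holds depends on the priority policy the scheduling analysis chose, which the figures above contrast. The following added example (mine, not the paper's or OSATE's code) evaluates $a$ and the REK assumptions $a_1$, $a_2$ over a constructed task set under deadline-monotonic and rate-monotonic priorities. The one modelling assumption made here is that under a fixed-priority policy $CanPrmpt(t_1, t_2)$ is time-invariant (same CPU, $t_1$ has the higher priority), so $\mathbf{G}(CanPrmpt(t_1, t_2))$ reduces to a static test; the deadline comparison in $a$ is strict, as the slide writes it.

```python
"""Evaluating the frequency-scaling assumption a and the REK assumptions
a1, a2 over a constructed task set. Added example; not the paper's code.
Assumption made here: under a fixed-priority policy CanPrmpt(t1, t2) is
time-invariant, so G(CanPrmpt(t1, t2)) reduces to the static test
"same CPU and t1 has the higher priority". The slide writes the deadline
comparison in a as strict (<), and so does this code."""
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class Task:
    name: str
    cpu: str     # CPUBind(t)
    per: int     # Per(t)
    dline: int   # Dline(t)


Priority = Callable[[Task], Tuple[int, str]]  # smaller key = higher priority


def dms(t: Task) -> Tuple[int, str]:
    """Deadline-monotonic: shorter relative deadline, higher priority (name breaks ties)."""
    return (t.dline, t.name)


def rms(t: Task) -> Tuple[int, str]:
    """Rate-monotonic: shorter period, higher priority (name breaks ties)."""
    return (t.per, t.name)


def can_prmpt(t1: Task, t2: Task, prio: Priority) -> bool:
    """Static stand-in for G(CanPrmpt(t1, t2)) under a fixed-priority policy."""
    return t1 is not t2 and t1.cpu == t2.cpu and prio(t1) < prio(t2)


def freqsc_a(tasks: List[Task], prio: Priority) -> List[Tuple[str, str]]:
    """a: ∀t1,t2 • CPUBind(t1) = CPUBind(t2) ∧ G(CanPrmpt(t1,t2)) ⇒ Dline(t1) < Dline(t2).
    Returns the (t1, t2) pairs that violate it; an empty list means a holds."""
    return [(t1.name, t2.name) for t1 in tasks for t2 in tasks
            if can_prmpt(t1, t2, prio) and not t1.dline < t2.dline]


def rek_a1(tasks: List[Task]) -> List[str]:
    """a1: ∀t • Per(t) = Dline(t). Returns the tasks that violate it."""
    return [t.name for t in tasks if t.per != t.dline]


def rek_a2(tasks: List[Task], prio: Priority) -> List[Tuple[str, str]]:
    """a2: G(CanPrmpt(t1,t2) ⇒ G ¬CanPrmpt(t2,t1)). Returns pairs that can preempt each other."""
    return [(t1.name, t2.name) for t1 in tasks for t2 in tasks
            if can_prmpt(t1, t2, prio) and can_prmpt(t2, t1, prio)]


# Constructed task set (not from the slide): on cpu0, t2 has the shorter period
# but the longer deadline, so RMS and DMS rank t1 and t2 differently.
TASKS = [
    Task("t1", "cpu0", per=20, dline=8),
    Task("t2", "cpu0", per=12, dline=12),
    Task("t3", "cpu1", per=10, dline=10),
]

if __name__ == "__main__":
    for label, prio in (("DMS", dms), ("RMS", rms)):
        print(label, "violations of a:", freqsc_a(TASKS, prio))
    print("violations of a1:", rek_a1(TASKS), "of a2:", rek_a2(TASKS, dms))
```

On this task set the assumption holds under DMS and fails under RMS for the pair (t2, t1): t2 preempts t1 because of its shorter period, yet its deadline is longer. $a_1$ fails for t1 (period 20, deadline 8), and $a_2$ holds under both policies because a strict priority order never lets two tasks preempt each other.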
Battery Scheduling Assumption

$g: \mathbf{G}(K(0) \times TN(0) + K(1) \times TN(1) + K(2) \times TN(2) + K(3) \times TN(3) > 0)$

Ratio of cells with 0, 1, 2, 3 neighbors: $1 \cdot TN(1) - 1 \cdot TN(2) + 10 \cdot TN(3) > 0$

[Figure: two cell layouts, labelled by cells with 1 neighbor TN(1), cells with 2 neighbors TN(2), cells with 3 neighbors TN(3)]

$1 \cdot 4 - 1 \cdot 10 + 10 \cdot 2 = 14 > 0$

$1 \cdot 2 - 1 \cdot 14 + 10 \cdot 0 = -12 < 0$
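The two figures above are worked by hand; the following added example (mine, not the paper's code) does the same computation from a cell topology: cells are vertices, connections are edges, $TN(n)$ is the number of cells with $n$ neighbors, and $g$ is evaluated with the slide's coefficients $K(1) = 1$, $K(2) = -1$, $K(3) = 10$. Since the slide's expansion of $g$ has no $TN(0)$ term, $K(0) = 0$ is assumed, and $TN$ is taken as a cell count, which is what the slide's arithmetic uses. The two layouts are constructed to reproduce the slide's counts (4/10/2 and 2/14/0); a cell with more than three neighbors is rejected because $K$ is only defined for 0..3.

```python
"""Evaluating the battery-scheduling guarantee g on constructed cell
topologies. Added example; not the paper's code. Cells are vertices and
connections are edges, so TN(n) is the number of cells of degree n. The
coefficients K(1) = 1, K(2) = -1, K(3) = 10 are the slide's; its expansion
of g has no TN(0) term, so K(0) = 0 is assumed. The slide's arithmetic uses
cell counts for TN, and so does this code."""
from collections import Counter
from typing import Dict, Iterable, List, Tuple

K: Dict[int, int] = {0: 0, 1: 1, 2: -1, 3: 10}


def neighbor_counts(n_cells: int, edges: Iterable[Tuple[int, int]]) -> Dict[int, int]:
    """TN(n) for n = 0..3 from an undirected edge list over cells 0..n_cells-1."""
    degree: Counter = Counter()
    for a, b in edges:
        degree[a] += 1
        degree[b] += 1
    tn = {n: 0 for n in range(4)}
    for cell in range(n_cells):
        d = degree[cell]            # 0 for a cell that appears in no edge
        if d > 3:
            raise ValueError(f"cell {cell} has {d} neighbors; K is only defined for 0..3")
        tn[d] += 1
    return tn


def guarantee_value(tn: Dict[int, int]) -> int:
    """K(0)·TN(0) + K(1)·TN(1) + K(2)·TN(2) + K(3)·TN(3)."""
    return sum(K[n] * tn[n] for n in range(4))


def guarantee_holds(n_cells: int, edges: Iterable[Tuple[int, int]]) -> bool:
    """g for a fixed topology (the G operator is trivial when the layout does not change)."""
    return guarantee_value(neighbor_counts(n_cells, edges)) > 0


def series_string(n: int) -> List[Tuple[int, int]]:
    """A chain of n cells: the two ends have 1 neighbor, the rest have 2."""
    return [(i, i + 1) for i in range(n - 1)]


# Constructed 16-cell tree: hubs 0 and 1 each have three neighbors and four
# chains hang off them, giving TN(1) = 4, TN(2) = 10, TN(3) = 2 as on the slide.
H_LAYOUT = [(0, 1), (0, 2), (2, 3), (3, 4), (4, 5), (0, 6), (6, 7), (7, 8), (8, 9),
            (1, 10), (10, 11), (11, 12), (1, 13), (13, 14), (14, 15)]
# Constructed 16-cell series string: TN(1) = 2, TN(2) = 14, TN(3) = 0.
SERIES_LAYOUT = series_string(16)

if __name__ == "__main__":
    for label, edges in (("H layout", H_LAYOUT), ("series string", SERIES_LAYOUT)):
        tn = neighbor_counts(16, edges)
        print(label, tn, "->", guarantee_value(tn),
              "holds" if guarantee_holds(16, edges) else "fails")
```

The first layout yields 14 > 0 and satisfies $g$; the series string yields -12 < 0 and violates it, matching the slide's two figures.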
Analyses Dependencies
Implementation

Models in the Architecture Analysis and Design Language (AADL)

•  Supports multiple analyses

•  Supports language extensions (subannexes)

•  OSATE implementation

Analysis Contract Annex

•  Implements the contract language

•  Generates the model interpretation

Contract formula verification

•  First-order logic (static): SMT / Z3

•  LTL (runtime): model checking / SPIN

I. Ruchkin, D. de Niz, S. Chaki, and D. Garlan. "Contract-Based Integration of Cyber-Physical Analyses." EMSOFT 2014.
Contact Information

Dionisio de Niz
Senior MTS
CSD/CSC

Telephone: +1 412-268-9002
Email: dionisio@sei.cmu.edu

Web

www.sei.cmu.edu
www.sei.cmu.edu/contact.cfm

U.S. Mail

Software Engineering Institute
Customer Relations
4500 Fifth Avenue
Pittsburgh, PA 15213-2612
USA

Customer Relations

Email: info@sei.cmu.edu
Telephone: +1 412-268-5800

SEI Phone: +1 412-268-5800
SEI Fax: +1 412-268-6257